Searching Victims

Overview

The Search screen in ThreatConnect® provides a single location to search and browse your data. You can search all object types in your ThreatConnect dataset using keywords or phrases, or you can browse threat intelligence data by object type and filter those data to a usable and relevant subset based on details like name/summary, object subtype, owner, and metadata such as Tags, Security Labels, and Attributes.

On the Search: Victims screen, you can search and filter all Victims in your ThreatConnect owners using basic search queries or using advanced search queries written in ThreatConnect Query Language (TQL). You can also create Victims, delete Victims individually, and further investigate Victims that are of interest to you.

Before You Start

User Roles

• To view and search Victims in an Organization, your user account can have any Organization role.
• To view and search Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
• To delete Victims in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To delete Victims in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.

Viewing All Victims

When you first open the Search: Victims screen, it displays a table listing all Victims in your ThreatConnect owners. You can access the Search: Victims screen by selecting Victims from the Search & Create dropdown on the top navigation bar or by selecting the Victims filter in the left sidebar of the Search screen.

To view more details about a Victim, do one of the following:

• Click the Victim’s table row, or click the Victim’s ⋯ menu and select View Details, to open the Victim’s Details drawer.
• Click the Victim’s name/summary to open the Victim’s Details screen.

Hint

You can adjust the columns displayed in the table on the Search: Victims screen by clicking Select columnsin the upper right, selecting the columns to display, and clicking Apply.

Searching and Filtering Victims

On the Search: Victims screen, you can search and filter Victims in your ThreatConnect owners by running the following types of searches:

• Basic search
• Advanced search
• Search using a saved query

To remove all filters and search criteria applied on the Search: Victims screen, click Clear all filters & searchin the upper right.

Running Basic Searches

A basic search lets you search Victims using the search bar and Filtersmenu on the Search: Victims screen. Follow these steps to run a basic search of Victims on the Search: Victims screen:

1. From the Search & Create dropdown on the top navigation bar, select Victims.
2. Configure a basic search query by doing the following:
   • Enter text into the search bar to search Victims by name/summary. To run a contains search, leave the Exact Match checkbox cleared. To run an exact match search, select the Exact Match checkbox.
   • Use the owner dropdown and Filtersmenu to filter Victims by owner and Victim metadata, respectively.

As you configure a basic search query, the results table updates automatically based on the current search criteria.

Searching by Name/Summary

When searching Victims by name/summary on the Search: Victims screen, you can run two types of searches: contains and exact match.

Contains Search

A contains search lets you filter Victims based on whether their name/summary contains the text entered into the search bar on the Search: Victims screen. Use a contains search when you want to filter your dataset to find Victims that relate to a common keyword or phrase. Table 1 describes the search result behavior of a contains search for jane doe.

To run a contains search on the Search: Victims screen, enter text into the search bar and leave the Exact Match checkbox cleared.

Exact Match Search

An exact match search lets you filter Victims based on whether their name/summary is an exact match to the text entered into the search bar on the Search: Victims screen. Use an exact match search when you want to search a large dataset for a specific object, as this type of search yields a more targeted set of search results. Table 2 describes the search result behavior of an exact match search for jane doe.

To run an exact match search on the Search: Victims screen, enter text into the search bar and select the Exact Match checkbox to the right of the search bar or surround the phrase in straight quotes.

Filtering Victims

The Search: Victims screen provides the following options for filtering Victims when running basic searches:

• The owner dropdown next to the Exact Match checkbox lets you filter Victims by one or more owners. Victims are filtered automatically as you select options in the dropdown.
• The Filtersmenu lets you filter Victims by Victim metadata. After selecting and configuring filters, click Apply. Victims may be filtered by the following metadata:
  • Tags
  • Organization
  • Sub-Organization
  • Nationality
  • Work Location
  • Security Labels
  • Attributes (+ Add Filter option at the lower left of the Filtersmenu)

Running Advanced Searches

An advanced search lets you search and filter Victims using a query written in ThreatConnect Query Language (TQL). Advanced searches enable you to perform highly targeted searches of Victims using criteria that cannot be defined when running basic searches.

Follow these steps to run an advanced search of Victims on the Search: Victims screen:

1. From the Search & Create dropdown on the top navigation bar, select Victims.
2. Turn on the Advanced Search toggle above the search bar.
3. Enter a TQL query into the search bar. If you configured a basic search query before turning on the Advanced Search toggle, the query will be converted into a TQL query and populated in the search bar automatically.
   Note

   If you configured Attribute filters in a basic search query, the converted advanced search query will use the Attribute Type’s name in the attribute parameter by default (e.g., attributeFinancial_Impact). However, if the Attribute Type’s name contains characters other than letters, numbers, and spaces, the advanced search query will use the Attribute Type’s ID number instead of its name in the attribute parameter (e.g., attribute123). For more information on the attribute parameter, see the “Query for Attributes” section in Constructing Query Expressions.
   Hint

   You can use the TQL Generator to translate plain-English prompts into TQL queries.
4. Click Searchto the right of the search bar, or press Enter on your keyboard, to run your search.
   Note

   If a TQL query is invalid, you can hover over the validator on the left side of the search bar to view the corresponding error message.
   Note

   If you run an advanced search using a query that matches a saved query, the saved query will be selected in the Select Saved Query… dropdown automatically.

Running Searches Using Saved Queries

When using the basic or advanced search features on the Search: Victims screen, you can run a search using a saved query. Follow these steps to use a saved query to search Victims on the Search: Victims screen:

1. From the Search & Create dropdown on the top navigation bar, select Victims.
2. From the Select Saved Query… dropdown in the upper right, select a saved query to run.

After you select a saved query, the Advanced Search toggle turns on and a search using the selected query runs automatically.

Sorting Victims

You can sort Victims by any of the table columns except for the Tags column. By default, Victims are sorted by the Name/Summary column in alphabetical order.

Victim Options

A Victim’s ⋯ menu provides the following options for managing and analyzing the Victim:

• View Details: Open the Victim’s Details drawer.
  Hint

  You can also open the Victim’s Details drawer by clicking on its table row.
• Delete: Delete the Victim from its owner. This option is available only if your user account has permission to delete Victims in the Victim’s owner.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.

20075-13 v.01.A